CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Wolfi•added 2026/04/17 8:0 p.m.•7 views

GHSA-965H-392X-2MH5 vulnerabilities

Vulnerabilities for packages: ztunnel, zellij, berg, linkerd2, sccache, qdrant, zizmor, rye, wasmtime, wasm-pack, buck2, sqlx, pixi, linkerd2-proxy, atuin, rustup, cargo-audit, xh, linkerd-extension-init, wasmcloud, ntpd-rs, parseable, linkerd-network-validator, lychee, shadowsocks-rust, tealdeer...

Wolfi•added 2026/04/17 8:0 p.m.•17 views

GHSA-XGP8-3HG3-C2MH vulnerabilities

Chainguard•added 2026/04/17 7:17 p.m.•4 views

GHSA-XGP8-3HG3-C2MH vulnerabilities

Vulnerabilities for packages: lakekeeper, ztunnel, rye, wasmcloud, zola, parseable, linkerd2-cni-plugin, linkerd2-proxy, qdrant, wasm-pack, ztunnel-fips, samply, ntpd-rs, shadowsocks-rust, fnm, xh, linkerd2, mise, zellij, sqlx, linkerd-extension-init, asciinema, garage, rustup, cargo-audit, atuin...

Chainguard•added 2026/04/17 7:17 p.m.•5 views

GHSA-965H-392X-2MH5 vulnerabilities

NVD•added 2026/04/09 5:16 p.m.•1 views

CVE-2026-39957

4.3CVSS0.00208EPSS

Cvelist•added 2026/04/09 4:14 p.m.•18 views

CVE-2026-39957 Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users

2.3CVSS0.00208EPSS

EUVD•added 2026/04/09 4:14 p.m.•1 views

EUVD-2026-20954

2.3CVSS6AI score0.00208EPSS

ATTACKERKB•added 2026/04/09 4:14 p.m.•2 views

CVE-2026-39957

2.3CVSS6AI score0.00208EPSS

Exploits1References4Affected Software1

CVE•added 2026/04/09 4:14 p.m.•14 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

4.3CVSS6AI score0.00208EPSS

Exploits1References3Affected Software1

CNNVD•added 2026/04/09 12:0 a.m.•5 views

Lychee 安全漏洞

Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.4 contained security vulnerabilities. These vulnerabilities were caused by an error in the order of SQL operators in the...

4.3CVSS5.9AI score0.00208EPSS

Positive Technologies•added 2026/04/09 12:0 a.m.•4 views

PT-2026-31650

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'user group id' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who ow...

2.3CVSS6AI score0.00208EPSS

Exploits1References4

RedhatCVE•added 2026/03/27 10:51 p.m.•3 views

CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...

5.3CVSS5.9AI score0.0026EPSS

RedhatCVE•added 2026/03/27 10:51 p.m.•4 views

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

5.4CVSS6AI score0.00214EPSS

RedhatCVE•added 2026/03/27 10:51 p.m.•2 views

CVE-2026-33644

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...

4.3CVSS5.8AI score0.00217EPSS